Advisories for Maven/Org.springframework/Spring-Websocket package

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

The Java SockJS client in this package generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.